CVE-2018-11652
published 2018-06-01


Priority: P264 · Severity: critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Badges: EXPLOIT
EPSS: 24.73% (97.6th percentile)
CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote attackers to inject arbitrary OS commands via the Server field in an HTTP response header, which is directly injected into a CSV report.

Affected

6 ranges

Vendor   | Product | Version range                    | Fixed in
cirt.net | nikto   | <= 2.1.6                         |
debian   | nikto   | < nikto 1:2.1.5-3 (bookworm)     | nikto 1:2.1.5-3 (bookworm)
nikto    | nikto   | >= 0 < 1:2.1.5-3                 | 1:2.1.5-3
nikto    | nikto   | >= 0 < 1:2.1.5-3                 | 1:2.1.5-3
nikto    | nikto   | >= 0 < 1:2.1.5-3                 | 1:2.1.5-3
nikto    | nikto   | >= 0 < 1:2.1.5-3                 | 1:2.1.5-3

Detection & IOCs (extracted from sources)

other: =cmd|' /C calc'!'A1'
  • Malicious HTTP Server response header containing CSV injection payload (formula starting with '=cmd|'). Monitor for Server headers with formula-injection characters (=, +, -, @) followed by cmd or shell commands in HTTP responses received by Nikto during scans.
  • Upstream patch available at GitHub commit e759b3300aace5314fe3d30800c8bd83c81c29f7; the diff can be used to identify the unsanitized CSV output code path in Nikto's report generation.
  • Attack requires Nikto to be run with CSV output (-o <file>.csv); detection should focus on Nikto invocations that write CSV reports against attacker-controlled servers.
  • nginx-extras is required on the attacker's server to set arbitrary Server headers via more_set_headers; standard nginx does not support this directive.
  • server_tokens must be set to off in nginx.conf to prevent the default nginx version string from overriding the injected Server header value.
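The detection note above flags Server header values that begin with a formula-leading character, and the fix is to neutralise such values before they reach a CSV report. The following is an added illustration (not Nikto's code and not the upstream patch) of both halves: a check for formula-injection leaders and DDE-style `=cmd|` payloads, and a report writer that quotes every cell and prefixes suspicious ones with a single quote. The header values are constructed samples.

```python
import csv
import io
import re

# Characters a spreadsheet treats as the start of a formula (the set named
# in the detection note). Leading whitespace is stripped first because some
# applications ignore tabs/CRs ahead of a formula leader.
FORMULA_LEADERS = ("=", "+", "-", "@")
# DDE-style payloads look like a formula leader, a command word, then a pipe.
DDE_PATTERN = re.compile(r"^[=+\-@]\s*\w+\s*\|")


def is_formula_injection(cell: str) -> bool:
    """True if this cell value would be evaluated as a formula on open."""
    return cell.lstrip(" \t\r\n").startswith(FORMULA_LEADERS)


def is_dde_payload(cell: str) -> bool:
    """Narrower check: formula leader followed by a command and a pipe."""
    return bool(DDE_PATTERN.match(cell.lstrip(" \t\r\n")))


def sanitize_csv_cell(cell: str) -> str:
    """Prefix a formula leader with a single quote so spreadsheets render
    the cell as text. Benign values are returned unchanged."""
    return "'" + cell if is_formula_injection(cell) else cell


def write_csv_report(rows):
    """Serialise rows (lists of str) to CSV with every cell quoted and
    sanitised, the way a scanner's report writer should emit them."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([sanitize_csv_cell(c) for c in row])
    return buf.getvalue()


# Constructed sample Server header values, not captured from any real host.
SAMPLE_SERVER_HEADERS = [
    "Apache/2.4.41 (Ubuntu)",   # benign
    "nginx",                    # benign
    "=2+2",                     # formula: would be evaluated on open
    "\t@SUM(1,2)",              # leading tab, then a formula leader
    "-1+1",                     # a minus sign also starts a formula
]

if __name__ == "__main__":
    print("flagged:", [h for h in SAMPLE_SERVER_HEADERS if is_formula_injection(h)])
    print(write_csv_report([["host", "server"]] +
                           [["example.test", h] for h in SAMPLE_SERVER_HEADERS]))
```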

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.0    | 9.8   | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 10.0  | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
osv           |         | 9.8   | CRITICAL |
vendor_debian |         | 9.8   | CRITICAL |